
Casino high-roller database stolen through a thermometer in the lobby fish tank

230 points| jonnybgood | 8 years ago |businessinsider.com

74 comments

[+] mysterypie|8 years ago|reply
I studied the photo to see if I could spot the Internet-connected thermometer, and then finally noticed that the caption said "Ethan Miller/Getty Images", and only after that saw that it also said, "An aquarium at a casino — not the one in question."

Forbes, who wrote an earlier story, did the same thing, but with a Shutterstock photo[1]. At least the original source of the story (the cyber defense company) used an illustration so it was obvious that it wasn't the real thing[2].

[1] https://www.forbes.com/sites/leemathews/2017/07/27/criminals...

[2] https://www.darktrace.com/resources/wp-global-threat-report-... (see page 8)

[+] fjsolwmv|8 years ago|reply
Another reason to boycott Getty!
[+] codedokode|8 years ago|reply
What the article doesn't mention: IoT devices are harmful not only because they are vulnerable. They can be used to collect data on users. Every enterprise aims to get as much profit as possible; collecting users' data and selling it later obviously gets you more profit than not collecting.

Why would a thermometer need to connect to the Internet in the first place? It is absolutely unnecessary. The software could be installed on a server in a local network or even inside the thermometer itself.

I think the reason why these devices require an Internet connection is that vendors just want to lock users to their servers and collect "anonymous statistics" from them.

[+] fencepost|8 years ago|reply
> Why would a thermometer need to connect to the Internet in the first place? It is absolutely unnecessary. The software could be installed on a server in a local network or even inside the thermometer itself.

Seriously? This is not obvious?

What's the upper bound on the number of aquariums that a large facility might have as decor, decorative dividers, etc? 10? 50? 200? More?

At a commercial scale having people go to each one is no more viable than Google using web managed network switches would be, or than using individual residential thermostats in a large office building. It might be possible, but it would be slow and error prone.

Installing an in-house server would be no better, but for different reasons of getting IT involved either for the server or for local software on a PC (locked down possibly and unable to install or run unrecognized apps). "Hi, this is Bob in maintenance, we'd like to install some software that will scan the network for" "NO." "But the fish!" "NO."

For that matter had these been properly segregated on an "IoT" network neither of those would have worked well anyway. If you're handling financial data like that in a regulated environment, nothing from the IoT network should be able to reach to protected systems. There's a case for the protected network to be able to reach to IoT, but there are also reasons to not allow it.

Frankly, having devices like that able to reach out to a cloud management system makes a lot of sense for both the client and vendor (subscriptions, lock-in, etc). The problem is allowing them on a supposedly secure network.

Edit: added "residential thermostats" because it seems more appropriate here than my initial example

[+] userbinator|8 years ago|reply
This reminds me of "cloud cameras" which seem to be getting more and more popular, and the absurdity of the whole situation.

Years ago, the standard was "IP cameras" which you basically connected to directly and they would stream video to you. Now these cameras stream video to some remote server, so the output from a camera which might be sitting only tens of meters away, goes maybe thousands of miles out into the Internet, crossing a geopolitical border or several, before coming back in. IMHO it's absolutely disgustingly inefficient in addition to all the privacy risks.

Of course the makers claim this is so you can watch from anywhere, but a lot of those old "dumb"(?) IP cameras could be configured to upload video to a remote server if you wanted, and one under your control.

Relatedly, the musings of a coworker who wondered why IM'ing someone sitting less than 10ft away in the office should even require a working Internet connection --- because his message gets sent far away and then back, in a horrifically wasteful loop, instead of going directly from computer to computer within the LAN.

[+] fiddlerwoaroof|8 years ago|reply
> Why would a thermometer need to connect to the Internet in the first place? It is absolutely unnecessary.

It’s strictly unnecessary, but it’s a bit convenient for NAT-piercing and enabling remote monitoring and management.

It’s like everything else: there’s a trade off between certain conveniences and security/privacy. For some people, the line is strongly on the side of security and for others, the line is more favorable to convenience.

[+] matthew-wegner|8 years ago|reply
RE: Thermostat

I live in Phoenix, and regularly set my thermostat en route to my house after being gone awhile. I have scripts that set it to away automatically when my phone leaves the network.

It saves me quite a lot of power yearly.

(I feel guilty for contributing to these sorts of pedantic HN threads, but there you go)

[+] avip|8 years ago|reply
Really? And who will support that on-premise "thermo-server"? Who'll apply security updates? Run software upgrades? Solve misconfigured networks? Replace a faulty network adapter?
[+] zdragnar|8 years ago|reply
It could just be ease of maintenance; if a server on AWS goes down, you can fix it from anywhere, or fall back on blaming Amazon.

If an on-site server goes down, odds are you might need to go on site, especially if the whole thing is separated from the internet to avoid leaking "anonymous statistics."

[+] closeparen|8 years ago|reply
Regulation to try to prevent weak links in a still perimeter-security-based design is hopeless. We need to stop substituting network of origin for real authentication and authorization systems.
[+] hueving|8 years ago|reply
But don't go too far and substitute authentication for network isolation. Vulnerabilities are a thing.
[+] greglindahl|8 years ago|reply
I have a friend who works in a casino, and the industry standard is to put untrusted devices on a segregated network.

Even trusted devices are segregated by vendor.

[+] giancarlostoro|8 years ago|reply
Industry standard is not always truly followed by everyone, as seen here. Still can't believe this sounds like something out of Mr. Robot.
[+] icefox|8 years ago|reply
It would be nice if at-home routers made this easy to do too.
[+] bigiain|8 years ago|reply
Didn't that Wired article about the Jeep hack tell us something about how well that sometimes gets implemented?

From memory, there was an "untrusted trusted entertainment system" network segment, and a firewall which allowed one-way traffic out of the "trusted" vehicle management network (so the entertainment system could get car speed and similar), and the firewall could have its firmware updated. From the untrusted network segment...

[+] mark-r|8 years ago|reply
That is an obvious and sound plan. It would be interesting to know how that broke down in this particular case.
[+] mistermann|8 years ago|reply
As someone who has used the web-based room reservation software for rewards members, I find this a bit hard to believe.
[+] RandallBrown|8 years ago|reply
How does a hack like this work? Is the device somehow connected to the Internet, the attackers take over the device, then since that device has access to the casino network, the attackers could then see anything that wasn't secured on the network? (Basically anything that relied on the network being secure for its security?)
[+] blincoln|8 years ago|reply
I don't know exactly what happened in this case, because they're not sharing details, but I've done similar things in a lot of pen tests.

Your assumption is pretty accurate. Whatever internet-facing device is compromised is then used as a gateway onto the internal network, and a conduit for getting data back out if necessary. With access to the internal network, it's usually much easier to find things like systems with default/weak passwords, exploitable services, and so on.

It usually takes a couple of steps, like hopping from the initial system onto something that has interesting credentials stored/cached on it, and from there on to the things that are actually of interest. Every once in a while, I'm lucky, and the initial point of compromise has super-privileged credentials on it, but that just makes things easier.

[+] codyb|8 years ago|reply
That was my guess as someone who has worked places where database access is restricted to a whitelisted set of IPs that includes the internal network.

Take over the thermometer and you can send requests to the database as a whitelisted IP.
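
The failure codyb describes, and closeparen's and hueving's point that neither network of origin nor authentication alone is enough, side by side as an added example (not code from the article or from anyone in this thread). The segment addresses, the "reporting-svc" credential, the HMAC token format and the scope names are all constructed for the example; a real deployment would use its own token issuer.

```python
"""
Database access policy: source-IP allowlist versus defense in depth.

A pure allowlist grants any host that reaches the database from a listed
address, so a compromised device on the internal range inherits the
permission. The hardened policy requires an allowed segment AND a valid
credential AND a matching scope, so stolen credentials used from the IoT
segment and unauthenticated requests from the staff segment both fail.
All addresses, users and keys below are constructed for this example.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed segment map (an assumed layout, not the casino's).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.30.0.0/24"),
    "staff": ipaddress.ip_network("10.10.0.0/24"),
    "db": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed credential store: user -> scopes it may exercise.
CREDENTIALS = {
    "reporting-svc": {"customers:read"},
}
_SIGNING_KEY = b"example-only-key"  # stand-in for a real token issuer's key


def mint_token(user: str) -> str:
    """Issue an HMAC-signed bearer token for a constructed user."""
    mac = hmac.new(_SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token: str) -> Optional[str]:
    """Return the user named by a valid token, else None."""
    user, sep, mac = token.partition(":")
    if not sep or user not in CREDENTIALS:
        return None
    expected = hmac.new(_SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def segment_of(addr: str) -> Optional[str]:
    """Map a source address to its segment name, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


@dataclass
class Request:
    src_ip: str
    token: Optional[str]
    scope: str


def allowlist_only(req: Request) -> bool:
    """Weak policy: any internal (private) source address is trusted."""
    return ipaddress.ip_address(req.src_ip).is_private


def defense_in_depth(req: Request) -> Tuple[bool, str]:
    """Hardened policy: allowed segment AND valid credential AND matching scope."""
    seg = segment_of(req.src_ip)
    if seg not in ("staff", "db"):
        return False, f"segment {seg!r} may not reach the database"
    user = verify_token(req.token or "")
    if user is None:
        return False, "missing or invalid credential"
    if req.scope not in CREDENTIALS[user]:
        return False, f"{user} lacks scope {req.scope}"
    return True, f"{user} from {seg} granted {req.scope}"


if __name__ == "__main__":
    tank = Request("10.30.0.7", None, "customers:read")
    print("allowlist only:", allowlist_only(tank))
    print("defense in depth:", defense_in_depth(tank))
```

The two policies disagree exactly on the thermometer case: `allowlist_only` accepts the tank controller because it sits on a private address, while `defense_in_depth` rejects it on segment before it even looks at credentials, and keeps rejecting it when a valid token is replayed from that segment.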

[+] codedokode|8 years ago|reply
If vendor's website has a vulnerability like CSRF (which are very common because browsers allow cross-domain GET/POST requests by default and developers often don't realise they should block such requests) then the attacker can gain control over IoT device if they make an employee visit their page.
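The server-side check that closes the gap codedokode describes, as an added example that is not code from the article or from any vendor's product. It rejects a state-changing request unless the browser's Origin (or Referer) matches the site and the form carries the per-session synchronizer token; the site name `tankmanager.example`, the in-memory session store and the sample requests are constructed for this example.

```python
"""
CSRF protection for a device-management endpoint.

Browsers attach cookies to cross-site GET/POST requests by default, so an
endpoint that relies on the session cookie alone can be driven from an
attacker's page that an employee happens to visit. Two independent checks
are applied to every non-safe request: the request must originate from
this site, and it must carry the synchronizer token bound to the session.
Safe methods must never change device state, so they are allowed through.
Site origin, session store and requests are constructed for this example.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://tankmanager.example"  # constructed vendor site
SESSION_TOKENS: Dict[str, str] = {}           # session id -> synchronizer token


def issue_csrf_token(session_id: str) -> str:
    """Bind a fresh random token to the session; embed it in every form."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Prefer the Origin header; fall back to scheme+host of Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(method: str, headers: Dict[str, str],
               cookies: Dict[str, str], form: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request to a state-changing endpoint."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method (must not change device state)"
    origin = request_origin(headers)
    if origin != SITE_ORIGIN:
        return False, f"origin {origin!r} is not this site"
    expected = SESSION_TOKENS.get(cookies.get("session", ""))
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_csrf_token("sess-1")
    cookies = {"session": "sess-1"}
    # Cross-site form post: cookie is sent automatically, token is absent.
    print(check_csrf("POST", {"Origin": "https://other.example"}, cookies, {"temp": "30"}))
    # Legitimate post from the site's own form.
    print(check_csrf("POST", {"Origin": SITE_ORIGIN}, cookies, {"temp": "26", "csrf_token": tok}))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a third, browser-enforced layer; it is not shown here because the check above must hold even for clients that ignore the attribute.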
[+] shaunol|8 years ago|reply
At this point I wouldn't be surprised if the high roller database itself were stored on its own IoT device linked to some "high roller analysis as a service" platform.
[+] 21|8 years ago|reply
Or maybe just in an unpassworded MongoDB instance somewhere in Amazon, because agile.
[+] leonroy|8 years ago|reply
You’d think these companies would use VLANs or at a minimum a router or layer 3 switch to segregate camera, critical services and fish tank IoT network traffic.
[+] mysterypie|8 years ago|reply
The original source[1] claims that the casino did take some precautions (a VPN) but still doesn't clearly explain how the failure occurred: "A North American casino recently installed a high-tech fish tank as a new attraction, with advanced sensors that automatically regulate temperature, salinity, and feeding schedules. To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank's data. However, as soon as Darktrace was installed, it identified anomalous data transfers from the fish tank to a rare external destination. Communications took place on a protocol normally associated with audio and video."

[1] https://www.darktrace.com/resources/wp-global-threat-report-...
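What the Darktrace excerpt quoted above describes (an IoT device sending data to a rare external destination over an audio/video protocol), together with the gateway behaviour blincoln describes further up (the compromised device reaching internal systems), as detection logic over flow records. This is an added example, not the article's or Darktrace's code; the segment ranges, device inventory, port list, byte threshold and the flow records are all constructed for it.

```python
"""
Flow-record triage for an IoT segment.

Every flow from an IoT source that is not in the device's expected-peer
list is reported with tags: internal destinations (lateral movement),
external destinations that no other internal host talks to (rare), ports
normally used for audio/video, and bulk transfers. Ranges, inventory and
flow records are constructed for this example.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

IOT_NET = ipaddress.ip_network("10.30.0.0/24")   # constructed IoT segment
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # constructed internal range
AV_PORTS = {554, 1935, 3478, 5004}                # RTSP, RTMP, STUN/TURN, RTP (assumed)
BULK_BYTES = 1_000_000                            # assumed threshold for one flow

# Constructed inventory: device -> (destination, port) pairs it is expected to use.
INVENTORY: Dict[str, Set[Tuple[str, int]]] = {
    "10.30.0.7": {("203.0.113.10", 443)},   # tank controller -> vendor API
}

# Constructed flow records: (src, dst, dst_port, bytes_out)
FLOWS: List[Tuple[str, str, int, int]] = [
    ("10.30.0.7", "203.0.113.10", 443, 4_100),
    ("10.30.0.7", "203.0.113.10", 443, 3_900),
    ("10.30.0.7", "10.20.0.15", 5432, 2_800),        # IoT -> database segment
    ("10.30.0.7", "198.51.100.23", 1935, 9_600_000),  # IoT -> rare host, RTMP port
    ("10.10.0.5", "10.20.0.15", 5432, 1_200),         # staff -> database (not IoT)
    ("10.10.0.5", "203.0.113.10", 443, 900),
]


def triage(flows, inventory):
    """Return a finding per unexpected flow from an IoT source, in input order."""
    # Number of distinct internal sources per external host: one talker == rare.
    talkers = defaultdict(set)
    for src, dst, _port, _n in flows:
        if ipaddress.ip_address(dst) not in INTERNAL:
            talkers[dst].add(src)

    findings = []
    for src, dst, dport, nbytes in flows:
        if ipaddress.ip_address(src) not in IOT_NET:
            continue                                   # only IoT sources are in scope
        if (dst, dport) in inventory.get(src, set()):
            continue                                   # expected vendor traffic
        tags = []
        if ipaddress.ip_address(dst) in INTERNAL:
            tags.append("iot-to-internal")             # sensor should never initiate this
        else:
            if len(talkers[dst]) <= 1:
                tags.append("rare-external-destination")
            if dport in AV_PORTS:
                tags.append("av-protocol-from-sensor")
        if nbytes >= BULK_BYTES:
            tags.append("bulk-transfer")
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "bytes": nbytes, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in triage(FLOWS, INVENTORY):
        print(f)
```

On the constructed records the staff-to-database flow is ignored entirely, the controller's vendor traffic is ignored because it is inventoried, and the two remaining flows surface as the internal hop and the rare, bulky, video-port transfer.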

[+] logicallee|8 years ago|reply
>You’d think these companies would use VLANs or at a minimum a router or layer 3 switch

You assume way too much. I bet half the fish in that tank never even got a background check

[+] Spooky23|8 years ago|reply
They probably do. Sounds like in this case the thermometer was able to hit a phone or videoconferencing network.
[+] advaitruia|8 years ago|reply
This is such a clickbait article.

It doesn't mention any details of how the data was actually stolen using the thermometer. It doesn't even explicitly say that the thermometer was an IoT device. "Hacked through a thermometer" could mean so many things.

[+] bitwize|8 years ago|reply
Right now /r/movies is having a laugh about a scene from Rampage where a character hacks a corporate network through a thermostat. Much as I love a good chuckle at "Hollywood hacking", this is a thing that can actually happen.
[+] abricot|8 years ago|reply
I think the big difference between reality and a lot of Hollywood hacking is 1. the time it takes, 2. how elaborate it always has to be, 3. the fact that during the initial exploration they would most likely find an even easier point of attack.
[+] IncRnd|8 years ago|reply
Maybe the fish tank shouldn't be on the same network as high value assets. That way, vending machines could be accessed by the fish tank but not the mission critical data.
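A way to audit the segmentation that IncRnd, leonroy and fencepost argue for, including fencepost's one-way rule (protected may reach IoT, never the reverse) and the indirect path Spooky23 guesses at (IoT reaching a phone/video network that in turn reaches protected systems). This is an added example, not code from the article or from any of the commenters; the segment names and both rule sets are constructed.

```python
"""
Reachability audit over a segmentation policy.

A rule (src, dst) means hosts in segment src may initiate connections to
segment dst. Lateral movement is multi-hop, so a policy is checked for
*paths*, not just direct rules: the weak policy below has no iot->protected
rule, yet iot reaches protected through the voip segment. Segment names
and rules are constructed for this example.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, str]  # (source segment, destination segment) allowed to initiate


def find_path(rules: List[Rule], start: str, goal: str) -> Optional[List[str]]:
    """Breadth-first search over directed allow rules; hop list or None."""
    adj: Dict[str, Set[str]] = {}
    for src, dst in rules:
        adj.setdefault(src, set()).add(dst)
    parent: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            node: Optional[str] = cur
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(adj.get(cur, ())):   # sorted for deterministic paths
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def audit(rules: List[Rule], untrusted: List[str], critical: List[str]) -> List[List[str]]:
    """Every path from an untrusted segment to a critical one is a violation."""
    violations = []
    for u in untrusted:
        for c in critical:
            path = find_path(rules, u, c)
            if path is not None:
                violations.append(path)
    return violations


# Constructed policies. "voip" stands in for the phone/video network.
WEAK: List[Rule] = [
    ("iot", "vending"), ("iot", "internet"), ("protected", "iot"),
    ("iot", "voip"), ("voip", "protected"),   # the bridge that undoes the isolation
]
HARDENED: List[Rule] = [
    ("iot", "vending"), ("iot", "internet"), ("protected", "iot"),
]

if __name__ == "__main__":
    print("weak:", audit(WEAK, ["iot"], ["protected"]))
    print("hardened:", audit(HARDENED, ["iot"], ["protected"]))
    print("one-way still works:", find_path(HARDENED, "protected", "iot"))
```

The rules model who may open a connection, which is how a stateful firewall is normally configured; replies on an established connection are implied, so the `protected -> iot` rule gives management reach without a return path from the tank.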
[+] freeloop10|8 years ago|reply
It's likely that was the protocol, but it wasn't followed. It usually comes down to actions of a Pointy Haired Boss rather than some glaringly obvious hole in their security plan.
[+] gruzh|8 years ago|reply
"S" in "IoT" is for Security
[+] sbassi|8 years ago|reply
What is a high-roller database?
[+] matte_black|8 years ago|reply
How do you verify a database you stole isn’t a decoy with dummy data?
[+] paulie_a|8 years ago|reply
Because this isn't a spy movie and that sort of thing rarely happens in real life.

It's also fairly easy to vet the data.